Associations press House to change cyber supply chain law

About a dozen industry associations are asking Congress to change the law
prohibiting agencies under the Commerce, Justice, Science appropriations bill from
buying technology or services from a company that is owned, directed or subsidized
by China.

In a letter to House Appropriations Committee
leaders, the technology associations are asking lawmakers to adopt the language in
the Senate's version of the fiscal 2014 Commerce, Justice, Science spending bill
that would let agencies make risk-based
decisions about from whom they purchase technology.

Under the Senate's language, the agencies under Commerce, Justice, Science along
with NASA and the National Science Foundation must first review "the supply chain
risk for the information systems against criteria developed by the National
Institute of Standards and Technology to inform acquisition decisions for
high-impact information systems within the federal government and against
international standards and guidelines, including those developed by NIST;
reviewed the supply chain risk from the presumptive awardee against available and
relevant threat information provided by the FBI and other appropriate agencies;
and developed, in consultation with NIST and supply chain risk management experts,
a mitigation strategy for any identified risks."

The associations called the Senate's approach a collaboration among lawmakers,
industry experts, security professionals and others that supports "a common-sense
alternative approach that would focus on real risks — an approach that can improve
security of government information systems without putting unnecessary regulatory
and economic burdens on industry."

The House Appropriations Subcommittee on CJS, chaired by Rep. Frank Wolf (R-Va.),
initially put the provision in the 2013 consolidated appropriations bill after a
series of cyber incidents were linked back to computers hosted in China.

In 2007, Wolf said hackers based in China broke into his offices' computers and
stole information.

In March, Wolf announced the FBI was investigating whistleblower reports that
the agency allowed a Chinese national inside access to sensitive information, and
that the data may have made its way back to the Chinese mainland.

In October, Wolf called for stiffer penalties against countries or organizations
that threaten the national security of the country.

"China's cyber espionage and theft of industrial trade secrets puts all of
America's other adversaries to shame," Wolf said at a cybersecurity summit in
Vienna, Va. "The Russians and Iranians and the North Koreans don't even come
close. The PLA has put the KGB's Cold War espionage campaigns against the U.S. to
shame. And yet, despite all of the recent public attention, the public response is
surprisingly muted. In certain quarters of the media, government and even business
community, there's even an air of acceptance — as if this is just a fact of
life in the 21st Century."

An email to Wolf asking for comment on the associations' letter was not
immediately returned.

The technology and business associations say the amendment from 2013 has some
unintended consequences.

The groups wrote, "Agencies cannot prioritize security resources on riskier IT
systems, which spreads these resources thinly at the expense of important
mission-critical systems. Instead, the law focuses limited federal cybersecurity
resources on a country-of-origin determination, rather than actionable cyber risks
and threats, and the actual security profile of the IT product. Identifying a
particular country-of-origin does not determine the security of IT products;
rather, security is truly a function of how a product is made, rather than where
it is produced. Further, the law has unnecessarily slowed federal purchases of
needed security technologies, putting key federal agencies behind the technology
cycle and leaving them vulnerable. Some U.S. companies have had to cease, or
interrupt, work at agencies with which they partner on projects significant to
national security."